11
COGNITIVE ENGINEERING

INTRODUCTION

For the next two to three decades the information sciences and human factors disciplines must play a different and more fundamental role in aeronautics than in the past, if aeronautical technology as a whole is to be advanced. Great improvements in vehicle characteristics and performance may be possible, but they cannot be realized effectively without accommodating major bottlenecks in system capacity, safety, and operations. To make these accommodations and improvements, information sciences and human factors will play central and enabling roles: information sciences to permit expanded capacity with safe operations and human factors considerations to achieve a well-balanced and highly integrated transportation system.

In the context of this study, the term ''information sciences'' includes the methods and systems for acquiring, storing, retrieving, distributing, checking and cross-checking, validating, transmitting, and displaying information needed in the operations of aircraft. It includes information used on-board the aircraft as well as external to the aircraft, such as air traffic management (ATM) information.

The term "human factors" is used here to characterize human attributes and behavior as they relate to all facets of the ATM system. These include decision making, control, monitoring, strategic and tactical planning, and supervisory or other such behaviors as they interact with the vehicle and all elements of the ATM system. The emphasis is interactive and interdisciplinary; the goals are to optimize performance and safety in all elements of the overall ATM system.

The interdisciplinary activities associated with information sciences and human factors seem to demand an approach that is related to how people perceive data, convert these data to integrated information, and use this information as a basis for making a decision. Indeed as the power of computers is increased, a logical next step is to allow air crews to do what people do best and allow the computer to support these activities and carry out whatever other tasks are necessary. (In a sense, this is the inverse of the current approach.) This human-centered activity is a potential application of cognitive science to practical problems. Such human-centered activity involving multidisciplinary engineering activities and cognitive science is



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century 11 COGNITIVE ENGINEERING INTRODUCTION For the next two to three decades the information sciences and human factors disciplines must play a different and more fundamental role in aeronautics than in the past, if aeronautical technology as a whole is to be advanced. Great improvements in vehicle characteristics and performance may be possible, but they cannot be realized effectively without accommodating major bottlenecks in system capacity, safety, and operations. To make these accommodations and improvements, information sciences and human factors will play central and enabling roles: information sciences to permit expanded capacity with safe operations and human factors considerations to achieve a well-balanced and highly integrated transportation system. In the context of this study, the term ''information sciences'' includes the methods and systems for acquiring, storing, retrieving, distributing, checking and cross-checking, validating, transmitting, and displaying information needed in the operations of aircraft. It includes information used on-board the aircraft as well as external to the aircraft, such as air traffic management (ATM) information. The term "human factors" is used here to characterize human attributes and behavior as they relate to all facets of the ATM system. These include decision making, control, monitoring, strategic and tactical planning, and supervisory or other such behaviors as they interact with the vehicle and all elements of the ATM system. The emphasis is interactive and interdisciplinary; the goals are to optimize performance and safety in all elements of the overall ATM system. The interdisciplinary activities associated with information sciences and human factors seem to demand an approach that is related to how people perceive data, convert these data to integrated information, and use this information as a basis for making a decision. Indeed as the power of computers is increased, a logical next step is to allow air crews to do what people do best and allow the computer to support these activities and carry out whatever other tasks are necessary. (In a sense, this is the inverse of the current approach.) This human-centered activity is a potential application of cognitive science to practical problems. Such human-centered activity involving multidisciplinary engineering activities and cognitive science is

OCR for page 243
Aeronautical Technologies for the Twenty-First Century Recommendations General NASA should conduct broad-based, interdisciplinary research into the causes, nature, and alleviation of human error, with specific reference to airborne and ATM environments. The most promising theories and experiments should be pursued as part of a continuing, long-range effort aimed at accident reduction. NASA should lead in the development and validation of training and operational strategy and tactics that are intrinsically tolerant to situations demanding divided attention operations by the individual or crew. NASA should work with FAA and industry to address the total human/system concepts and develop methods to ensure valid and reliable system operations. Specific NASA should conduct research to develop and demonstrate techniques to improve the pilot's situational awareness and spatial orientation. In addition to its work with the National Incident Reporting System, NASA should work with the FAA and the National Transportation Safety Board to analyze all available data on aircraft accidents and incidents to determine the history and trend of human errors, contributing factors, type of equipment involved, and other relevant matters. NASA's research in error alleviation should include: systems that can detect developing critical situations, independent of the crews's alertness, and inform and assist the crew regarding appropriate corrective measures; concepts, methods, criteria, and the technology for error-tolerant system design; and development of prototype, "massively smart" interfaces, both in the simulator and in the air. NASA, with FAA involvement, should extend its investigations of highly reliable avionics to total system concepts applicable to ATM automation. NASA should continue its research into four-dimensional guidance algorithms and simulation techniques for ATM. denoted by the term "cognitive engineering." That term is used throughout this chapter to express the synergy between the traditional disciplines of information science and human factors. The treatment of cognitive engineering is divided between this chapter and that on Avionics and control (Chapter 10). For the most part, Chapter 10 covers the airborne systems and equipment that implement the on-board information and human factors requirements. This

OCR for page 243
Aeronautical Technologies for the Twenty-First Century Benefits of Research and Technology Development in Cognitive Engineering Enhanced Air Traffic Management System Performance Effective information management Enhanced communication Greater situational awareness Integrated global system Enhanced Safety Error avoidance and alleviation Greater understanding of interactions between humans and automated systems Greater understanding of human error Error-tolerant design More effective training and skill maintenance Aircraft and Engine Design and Development Integrated systems Technology validation chapter treats those aspects that deal primarily with interactions between humans and machines. These include the content and format of information that allows crew members to interact with each other and with the on-board automation, ATM personnel, and ATM automation; the transfer of information between crews and the ATM system; and information required within the ATM system. There are two overriding, interwoven themes in this treatment. Expressed as key challenges, they are: (1) the improvement of overall ATM performance, and the enhancement of safety. That the first challenge exists is obvious to even the most naive user of the existing ATM. The technical answers to performance and capacity improvements are the introduction of advanced new aircraft, equipment, and facilities into the transportation system. The second challenge may not be so obvious, because the existing ATM is one of the safest ways ever developed for point-to-point travel. The introduction of advanced avionics, glass cockpits, new training procedures, and more reliable systems and subsystems in aircraft since the beginning of the wide-body jet era has probably played a part in establishing the current downward trend of total accidents in the United States. There are insufficient statistical accident data since the introduction of the newest transport aircraft (MD-11, 757, 767, 747-400, A320) to fully evaluate the safety improvements achieved with application of advanced technology and the existing human factors guidelines. It is clear that the traveling public will insist on maintaining a high safety record (as measured by absolute number of accidents, not rate

OCR for page 243
Aeronautical Technologies for the Twenty-First Century of accidents) as the number of passenger-miles flown each year doubles, at least, over the next few decades. Historically, human error has been cited as the cause of 70 percent of aircraft accidents. This percentage has been remarkably resistant to major advances in aeronautical technology and seems to border on a universal constant. Near accidents and incidents are increasing, and expanded operations increase the exposure and the risk. In the final analysis, safety will continue to depend on the human elements in the overall system, which starts with preliminary conception and continues through operations. Consequently, human error as the cause of a great majority of accidents is unacceptable for an expanded and enhanced ATM and must be reduced. This chapter discusses the Committee's findings and recommendations regarding the future of cognitive engineering as it relates to the field of aeronautics. The boxed material summarizes the primary recommendations that appear throughout the chapter, with specific recommendations given in order of priority, and the benefits that can be gained through greater research and development in cognitive engineering. VISIONS FOR 2020—PRECEDENTS AND CONTEXT FOR RESEARCH ACTION This report attempts to look ahead two to three decades. Details of the then-existing air transportation system are somewhat obscure. As an attempt to pierce this veil to discern the key challenges faced by human factors and the information sciences, the approach taken here begins with an outline of some tentative "visions" or goals for 2020. These "strawman" concepts have been selected to serve as goals on which to orient, structure, and/or inspire the establishment of research needs. The strawmen are broadly based, with indefinite time scales; thus, the actual satisfaction of research needs may have parallel flexible time scales. The visions are in three broad categories: Those desirable systems, features, and characteristics that are assumed by the Committee to be present in 2020: these must precede or be concurrent with vehicle developments, which in one degree or another rely on them. ATM systems—two extremes: a centralized ground-based ATM system based on evolution from the National Airspace System; a distributed, combined, space- and ground-based ATM. This global, cooperative system would provide optimal operational capability, surveillance, blunder detection, automated digital data and voice communication, collision avoidance, and conflict potential, via centralized computing facilities. Position measurements for all flight operations (including autoland and ground movements) would be derived from the Global Positioning System (GPS) or its 2020 equivalent.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century Supervisory telerobotic human/machine systems: these cover a broad spectrum of adaptive-role human/machine systems, the most elaborate being hybrid-synergistic human/automation systems with dual-role bilateral operations. That is, the system performs operations, surveillance, monitoring, and backup with either the human or the automation as primary in a given role (with the other element then in backup). 2020 examples of this type of system might include: pilot/copilot/cockpit automation; ATM, space, and terrestrial operations of all sorts (proximate or remote). It is expected that these advanced systems will be based on a clearly stated "human-centered" automation philosophy,1,2 and that they will have agents to manage information, to manage tasks, and to monitor and remediate errors. In other words, the system will be designed to allow people to do what they do best, with machines playing a supplemental role. Aeronautical Vehicle Visions for 2020 In discussions of vehicle possibilities, some assumptions have been made about the availability of certain human- or automation-oriented equipment, facilities, or capabilities in the early twenty-first century. One role of cognitive engineering in this era is to enable these assumptions to become reality. Some assumptions are implicit, such as equivalent safety of operations, whereas others are explicit. The latter are mentioned in several places throughout the vehicle sections. These include: integrated satellite/on-board systems permitting: on-board en route navigation and position fixing; elimination of separate Terminal Collision Avoidance System (TCAS); routine Category IIIc operations—elimination of microwave landing systems (MLSs) and instrument landing systems, and very high frequency (VHF) omnidirectional range approaches; and fully integrated cockpit and ATM system. Information sciences is an enabling discipline for all of these advanced systems. The following are among the implications for human/machine interface systems: 1   Billings, C.E. 1991. Human-Centered Aircraft Automation: A Concept and Guidelines (NASA Technical Memorandum, No. 103885). Washington, D.C.: National Aeronautics and Space Administration. 2   Rouse, W.B, N.D. Geddes, and R.E. Curry. 1987. An Architecture for intelligent interfaces: Outline of an approach to supporting operators of complex systems. Human Computer Interaction 3:87–122.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century no manual reversion; displays and sensors: (1) for situation awareness, and (2) nonmoving sidearm controller (as a reduced awareness "display" for both the "pilot flying" and the "pilot not flying;" operational aspects of glass cockpit airplanes, such as: (1) tunneling attention and action, to the exclusion of other crew functions, and struggling with the automatic controls command settings "to make the airplane do something it clearly doesn't want to do," instead of disengaging and manually flying to the desired condition; overreliance on automation in nonnormal situations; transitions from one flight phase to another, from one control mode to another, from normal to abnormal situations; and enhanced surveillance systems. These advanced systems to support advanced vehicles may also bring an additional legacy of awkward human factors problems, for example a tendency toward crew complacency and overreliance on automation; boredom/fatigue; a greater need for discipline and orderly joint sequences as automation increases; several different, nonstandard, cockpit automation systems in a given airline fleet; shorter times between new equipment generations, with more frequent shakedown of new systems and needed crew transitions due to rapid changes in the technologies and the equipment production base; and potential for additional workrelated stress due to systems demands, capacities, and economic impacts (e.g., "go" pressure). Air Transportation System Visions for 2020 Two versions of potential operational environments that might exist in 2020 are defined as the bases for identifying required research and development and innovative concepts in cognitive engineering. The first is an extrapolation of the evolving Federal Aviation Administration (FAA) ATM system and the corresponding extrapolation of aircraft/systems technology. This scenario is based on a paper describing the FAA view of the ATM in the twenty-first century.3 The system is referred to here as the "evolutionary" system. The challenges in cognitive engineering for this system also tend to be evolutionary, albeit not trivial. There have been major programmatic responses to the emerging requirements of this evolutionary ATM system, containing both airborne and ground-based constituents. The 3   U.S. Department of Transportation. 1990. Moving America into the 21st Century—FAA Strategic Plan.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century National Aeronautics and Space Administration (NASA) Aviation Safety Automation Program is ongoing, and the National Plan for Aerospace Human Factors4 is in its initial stages. The second potential operational environment is a visionary projection of what might be possible from a technical viewpoint that ignores, for the moment, implementation issues. This "visionary" ATM system is intended to motivate innovative thinking and creative ideas that are more advanced than those needed for the evolutionary ATM system. Table 11-1 outlines the key features of the two scenarios. It is important to note that the visionary scenario portrays the technical possibility of fully automatic aircraft operations, with the ATM system providing the primary means of operating and managing most air traffic flow from gate to gate. This could imply the total removal of humans from the cockpit and ATM control rooms. Indeed, it would, in principle, reduce on-site human involvement and the direct attribution of human error to crew. It would also have economic consequences that could be favorable to direct operating costs. However, a fundamental problem is we do not have historical data on how many accidents have been prevented by human presence and intervention that would not have been prevented by an automatic system. Although it would be virtually impossible to establish such a data base, the capacity of humans to recognize and correct things that have gone awry is an enormously valuable and uniquely human attribute. In fact, with a human-centered automation philosophy the pilot will be in ultimate charge because (1) this is the natural preference of flight and operating personnel, for many reasons, including poor or unpredictable performance of automation; (2) pilots must have authority if they are responsible for safe flight operations; and (3) experience to date strongly suggests that better performance of the total human/automation system will occur if humans are in charge. The Committee believes that the closest full automation likely by 2020 involves a scenario in which the primary operational mode for most aircraft and the ATM is automatic, with humans actively engaged in higher-level (strategic) decision making, supervising and monitoring operations, and taking direct control if necessary. The crew and ATM monitors would have automated tools to aid them in supervision, monitoring, and control takeover. There would also be automatic surveillance—independent systems to monitor the normal automated system and/or human actions when humans are in control. These monitoring systems would advise humans when their actions appear to be inappropriate, based on understood intentions and a projection of consequences. Supervisory Telerobotic Human/Machine Systems Visions for 2020 The last type of strawman system to serve as a possible focus for cognitive engineering needs is the most elaborate and multifunctional. It includes aiding, control, monitoring, 4   U.S. Department of Transportation. 1990. The National Plan for Aviation Human Factors. Volumes I and II (draft). Washington, D.C.: Federal Aviation Administration.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century TABLE 11-1 Key Features of Two Scenarios for the Air Transportation System in 2020   Evolutionary Visionary Operating environment Operating environment information (OEI) from ground-derived sources augmented with aircraft data (i.e., winds aloft, windshears, severe weather, runway conditions, and wake vortices). Doppler radar at major airports. Realtime weather observations from aircraft, air data sensors, intertial navigation system (INS), and windshear sensors transmitted to ground stations and integrated with ground-derived observations. Sophisticated weather models to provide weather predictions in a timely manner to the aviation community. OEI from integrated sources using space sensors, ground sensors, and aircraft data. Real-time updates provided to all aircraft via data links for their route and alternates if requested. OEI data to include those listed to the left plus short-term weather forecasts along planned route, including icing conditions for GA and helicopters. Real-time data and short-term predictions of landing conditions, including vortex wakes, windshears, severe turbulence, thundershowers, and microbursts displayed to crew and to ground monitors. Aircraft position, surveillance, and maneuver intentions Altitude reporting secondary surveillance radar transponder augmented by Global Navigational Satellite System (GNSS) is (possibly) the basic source of aircraft positions. Ground-based surveillance using secondary radar. Primary radar to detect aircraft blundering into terminal control areas as backup to secondary radars. Surveillance over ocean and in low-density en route airspace to be by satellite-based Automated Dependent Surveillance (ADS) using on-board navigation system data linked to ground station via satellite. Airport surface position via radar augmented by SSR Mode S multilateration or GNSS. GNSS augmented by INS is the primary aircraft position system. Data link aircraft-derived state vector to ATM center for position and maneuver intentions. Altitude-reporting SSR transponder for backup and minimum-equipped aircraft. Satellite-based ADS using GNSS and data linked to ground station via satellite for global surveillance. GNSS augmented with ground-based sensors for airport surface position. Procedures, separation standards, and collision avoidance Use of cockpit display of traffic information (CDTI) and crew involvement in separation standards for aircraft with more accurate and reliable guidance systems. TCAS to provide backup separation assurance to the ground-based ATM system. CDTI used for in-trail station keeping on arrival and separation monitoring on departure to operate at lower minima. Flight crews to resolve local separation problems en route (low-density situations) and over oceans with CDTI. Use CDTI for crew monitoring automated aircraft separation in addition to ground monitoring. Accurate prediction of vortex wakes allows minimum separation at landing to be set by aircraft ground-handling capacity and allowances for anomalies. Collision avoidance integrated into the automatic ATM plus independent on-board system integrated into CDTI as monitor and backup to automatic ground/data link system. CDTI used to monitor ground traffic while taxiing.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century   Evolutionary Visionary Traffic flow, information, and ATM automation Real-time flow management automation tools to offer flow strategies to adapt for traffic, terminal area, and airport conditions. Shared flow strategy decision making between aircraft crew and ground-based ATM. Short-term prediction of airport capacity. Tight integration of the central flow management process. Automatic four-dimensional management for gate to gate as normal procedure for most aircraft. Exception to flow management for older and GA aircraft without four-dimensional systems and off-nominal operations of other aircraft. Automation tools for integrating four-dimensional and non-four-dimensional aircraft. Tight integration of the central flow management process. Computer-generated clearances issued to aircraft via data link. Controller monitors operation and intervenes selectively. Automated ATM will include the ground segments to allow for positive control from gate to gate. Special-use airspace and ATM procedures to enable advanced rotorcraft operations separate from normal traffic at major hubs.   User to negotiate best trajectories with ATM system. Tactical management system monitors aircraft progress and intervenes only when necessary to meet ATM constraints. Negotiations are between aircraft flight management system and ground ATM system. Flight crews and ATM managers are kept informed so they can intervene if necessary. Will use four-dimensional clearances. Ground air traffic managers to integrate aircraft not equipped with four-dimensional flight management systems. Continuous 24-hour prediction of airport capacity. Navigation, guidance, takeoff and landing Primary terminal, en route, and oceanic navigation by GNSS. Category I approach and landing aids by GNSS together with ground-based aids (i.e., differential GPS). Category III provided by MLS. Primary terminal, en route, and oceanic navigation landing and ground control to be GNSS augmented with INS and ground aids for Category IIIc. Automatic takeoff and ground operations (from and to gate) possible. Use of synthetic vision/enhanced vision systems for monitoring Category III landings and ground operations. Communications HF communication in polar regions. VHF voice and data communications continue to be used. Satellite communications to be used over oceans and some land areas. UHF satellite communications for all voice and data communications.   Extensive use of data links between ground and flight deck. Open system interconnection (OSI) incorporated to ensure interoperability of satellite, Mode S, VHF, and terrestrial data transmission systems.  

OCR for page 243
Aeronautical Technologies for the Twenty-First Century supervisorial, and surveillance aspects. Examples of the aiding elements follow from the visionary ATM described above. These include automated tools that aid the humans in supervisory, monitoring, and control roles; advisors of inappropriate actions; and projection of consequences. To enable these tools to operate most effectively, they must be based on an understanding of how humans perceive and process information. Current concepts include using advanced computer and software systems to serve as "associates" for pilot and air traffic control personnel. Other features follow from current human/vehicle control systems, such as automatic flight management, guidance, and control systems. At the simplest level this is a pilot-controlled "effective vehicle," in which the effective aircraft comprises the airplane plus stability and command augmentation system. The stability and command augmentation system (SCAS) corrects any dynamic deficiencies of the bare airplane. Flight management and guidance for manual operation are accommodated with displays such as flight directors, which, in company with the SCAS, create an effective vehicle that handles well and possesses "good" flying qualities for all operational modes. At the next level is automatic flight control, in which the pilot is removed from direct flying operations but still makes command decisions, exerts control of flight modes, inserts commands, and monitors operations. Some of the monitoring cues are provided by the same displays used in manual control, whereas other monitoring cues stem from the aircraft's behavior in response to commands and disturbances. These are also "flying qualities," albeit those for intermittent or unattended operation by the pilot. Finally, there is completely automatic flight management, guidance, and control, in which the autopilot is coupled to flight management systems without human intervention, but with human initiation and monitoring. The final feature is automatic surveillance (i.e., independent systems to monitor the normal automated system or human actions when humans are in control). Monitoring operations in general are those associated with ensuring that any abnormal situations are properly detected and identified; the additional dimension of surveillance is independence, even detachment, of the oversight. This is essential for the detection of "blunders," which typically occur when individual operations are apparently proceeding properly but the total picture is one of incipient catastrophe. A major distinction between monitoring and control tasks is that pilots and automation may perform the same monitoring task simultaneously (in parallel), whereas control tasks are performed by either the crew or the automation. One result of this dichotomy is that there is no upper limit to the automation of monitoring tasks since they will not interfere with the pilot if they are well implemented. Therein lies a major challenge. From the information sciences standpoint these human/automation systems will contain at least three major components: interface manager—provides flow of information to the pilot and crew in a form that allows for most effective use; preserves priorities and maximizes effective flow via message scheduling and formatting;

OCR for page 243
Aeronautical Technologies for the Twenty-First Century error monitor/identifier—logic to monitor for errors, to identify and evaluate the impact of errors including systems to infer the pilot's intent; and task manager—''chief of staff''—sets priorities sensitive to the intent of the executive, determines what gets through, and responds to orders. Several supporting elements are critical to the success of an advanced human/automation system. These include the "pilot intent inferencing system" noted above with the error monitor/identifier; a "pilot model of capabilities/resources/limitations," and a "world/system model." These elements support error evaluation (i.e., using the world/system and capabilities/resources/ limitations models). The supervisory telerobotic human/machine systems envisioned here thus include all the features exemplified above combined into a hybrid-synergistic human/automation system with dual-role, adaptive bilateral operations. That is, the system performs operations, surveillance, monitoring, and backup with either the human or the automation as primary in a given role (with the other element as backup). Some 2020 examples of this type of system might include pilot/copilot/cockpit automation; and ATM, space, and terrestrial operations of all sorts (proximate or remote). TO MAKE GOOD THE VISIONS What stands in the way of the execution of such visions? The primary technical factors include effective human/automation interactions for airborne and ground-based systems/operations; design, development, invention as needed, execution, and validation of sufficiently reliable systems of hardware and software; effective management and distribution of the necessary information to active, passive standby, and monitoring nodes; validation that the systems would substantially increase capacity and overall performance/safety; and implementation plans and procedures that meld the new features into the existing system without disruption. The last factor is particularly difficult because of the enormous technical, political, and economic complexity of the existing ATM. An evolutionary approach is needed for each new step introduced. Thus, even if the system is ultimately to evolve to full automation, it would go through a series of stages, with humans retaining partial control to develop sufficient confidence to move to the next level of automation.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century characteristically integrates all the cues and clues to arrive at an estimate of the situation (situation awareness). When various stressors are added, such as saturated work load, fatigue, certain prescription drugs, or circadian desynchronization, the pilot's divided-attention capability will degrade significantly. The pilot may appear to be quite normal as long as one thing can be handled at a time without consideration of other events, but the least overload can become catastrophic unless external surveillance and action intervene. Open-Loop Theories—Discrete Commands and Demands Slips and Mistakes At the open-loop command and data entry level, "slips" (an incorrect and inadvertent action) and "mistakes" (an incorrect intention), as proposed by Reason and Norman8,9,10 are constructs useful in ad hoc "explanations." These ideas could be very fruitful when an adequate aviation-oriented empirical data base is assembled. For example, a properly configured combined analytical/experimental effort in which ''slip rate" is linked quantitatively with divided attention parameters would be useful in predictions and assessments. Statistical Decision Theory Statistical decision theory also offers an excellent basis for discrete command situations.11 Empirical studies in ground transportation12 show that great insight can be gained into human errors due to decision making under stress by using such paradigms. This approach has been applied in an aeronautical application for pilot decision making in the presence of windshear possibilities.13 It should be much more fully exploited for other aeronautical applications. 8   Reason, J., and K. Mycielska. 1982. Absent Minded? The Study of Mental Lapses and Everyday Errors. Englewood Cliffs, N.J.: Prentice-Hall. 9   Reason, J. 1990. Human Error. Cambridge, England: Cambridge University Press. 10   Norman, D.A. Design rules based on analyses of human error. 1983. Communications of the ACM, 26. 11   McRuer, D., W. Clement, and W. Allen. 1980. A Theory of Human Error (NASA CR 166313). Moffett Field, Calif.: NASA Ames Research Center. 12   Schwartz, S.H., and R.W. Allen. 1978. A Decision Model Applied to Alcohol Effects on Driver Signal Light Behavior. In Proceedings of the Fourteenth Annual Conference of Manual Control (NASA CP-2060), 1978. Washington, D.C.: National Aeronautics and Space Administration. 13   Krendel, E.S., R.W. Allen, Z. Parseghian, and D. McRuer. 1988. Pilot Risk Assessment of Windshear Hazards (STI TR-1246-1). Prepared by Systems Technology under NASA Contract NAS 2-12540. Hawthorne, Calif: Systems Technology.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century Theories for Closed-Loop Situations For piloted-control modes of the human/automation system, a predictive and quantitative theory of error has been proposed.14,15 This theory is capable of treating errors in piloted control situations due to information processing limits, cue impoverishment, overload, attention shifts and tunneling, fatigue, and other operator-centered variables. A perceptually centered generalization of this theory is applicable to monitoring and other tasks wherein the pilot is not directly engaged in action. Both aspects of this promising approach have yet to be thoroughly exploited. NASA should conduct broadly based, interdisciplinary research into the causes, nature, and alleviation of human error, with specific reference to airborne and ATM environments. Human and Systems Performance Measurement for Assessment of Human Error Potential Correlation of Theories with Available Data A great deal of anecdotal data are available from such sources as the ASRS; various breakdowns and classifications are also available from observational, accident, and postaccident analysis data bases and studies.16 These data are, as a minimum, "suggestive" because adequate theories of error must subsume them and "conclusions" that might be drawn from the various theories of human error must be consistent with the record. Attempting to correlate such descriptive and anecdotal data with the theories is an important feature in their further development. Suggestions about parameters, measures, and relevance follow directly from such efforts. Aviation-Relevant Scenarios and Experimental Outlines for Evolution and Validation of Theories Empirical evidence is needed to flesh out and further develop theories once they are brought to a level where they reflect current thinking. Detailed outlines of several aviation-relevant experimental scenarios pertinent to the particular theories should be developed as a next step. These outlines should include such pre-experimental analyses and drawing of tentative estimates as are possible with the state of the theory. Appropriate scenarios should be prepared for: (1) divided attention, (2) statistical decision making, (3) information and control closed-loop action theory, and (4) perceptually centered information and control closed-loop monitoring theory. 14   Singleton, op. cit. 15   Norman, op. cit. 16   Singleton, op. cit.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century The scenario/outlines need to include tentative measures of human and automation performance and behavior. For example, divided-attention capability implies an ability to perceive, assess, and respond to myriad stimuli. Although objective measurements of this capability are straightforward in principle, they are task specific. The most promising theories and experiments should then be pursued as part of a continuing, long-range effort aimed at near perfection in accident reduction. Alleviation of Error—Error-Tolerant Systems Selection and Training The classic approach to enhance performance and reduce error is through selection and training. It is axiomatic that practice does make (almost) perfect, that performance directly reflects levels of practice. Thus, captains with low task orientation lead crews that commit more errors than captains with high task orientation. Crews that commit few errors tend to be better coordinated and to engage in explicit task-oriented conversation; further, crews that often fly together commit fewer errors than newly formed crews. Crew performance can be critically biased by the leader's (captain's) personality profile. Certain aspects of individual crew member behavior are associated with high levels of performance, including planning nominal and emergency flying operations, comparing actual with expected status, having high situational awareness, setting priorities, scheduling activities, and managing work load. All these attributes are fundamental to enhanced divided attention performance. At the team level, captains with poor interpersonal and information transfer skills lead crews that commit more errors. Thus, it is supportable that an individual's and a crew's abilities to cope with demands for divided attention are directly connected with operations free of grievous error. Research issues that can better define and perhaps improve matters include the definition of individual and crew characteristics; data presentation techniques associated with low-error performance on complex flight and controller tasks; training and selection techniques to develop individual and crew skills in these directions; and valid measures of individual and crew performance to assess the selection/training effects. Surveillance by Independent Systems The best way to eliminate error is to avoid it in the first place. Training and rehearsal, displays that indicate current status and estimate future status (including warning of grievous error possibilities), and surveillance by independent systems offer three means to this end. The assessment of error potential is a major possibility in the immediate future because of the enormous amount of human/automation system data available on modern and advanced automation systems. Independent monitoring systems can be very effective for surveillance and blunder avoidance. Expert systems providing advisories and checklists can act as crew

OCR for page 243
Aeronautical Technologies for the Twenty-First Century associates and monitors as well. Further, the pilot/crew status can also be assessed (e.g., with appropriate divided attention assessment measures). Operator Status Assessment Another way to avoid error is to ensure that operators who are to be active in the system are not impaired. Impairment has many causes, with fatigue, alcohol ingestion, and drugs being the most prominent in ground transportation. Alcohol and illegal drugs are not such a menace among flight crews, although there are instances of impairment due to these causes among cabin attendants, ground crews, and ATM operators. For in-flight operations, such impairment factors as fatigue and circadian desynchronization have been investigated extensively. However, few experiments have been accomplished in an aviation context in which the impairment measured is a reduction in divided attention capacity. Because divided attention deficits can play an important role in human error, this should be rectified. Many commonly used prescription drugs that are suspicious in this context have not been assessed for their effect on reducing divided attention. The means for assessment of operator impairment are not widespread by virtue of an emphasis on drug and performance testing in the public safety sector. Some of these derive from an aviation context.17 Operational Strategy and Tactics—Training for Abnormal Situations When avoidance is impossible, retreat is sometimes feasible. In human/automation systems this may take the form of changing the immediate purpose (e.g., embark on a go-around) or changing the system (e.g., switching from autoland to pilot-controlled landing). Training, rehearsal, and redundant or backup system modes are useful means of retreat. A key issue is to develop and validate training and operational strategy and tactics that are intrinsically tolerant to situations demanding divided attention operations by the individual or crew. Error-Tolerant Design Human/Automation System Interaction Characteristics The most common means of coping with error is to use the condition of error itself as a stimulus for human action; unique characteristics of human behavior are error correction, strategy switching, and goal changing. These features, respectively, are what manual piloting and pilot management of automation are all about. 17   Allen, R.W., A.C. Stein, and J.C. Miller. 1990. Performance Testing as a Determinant of Fitness-for-Duty (SAE Paper 901870). SAE Aerotech. Washington, D.C.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century If manual piloting were the only factor involved, the keys to error-tolerant design would fundamentally involve the provision of "good" flying qualities in the traditional sense. These are obtained by tailoring effective aircraft dynamics using fly-by-wire stability and command augmentation systems, and excellent navigation, guidance, and control command and status properties from a complete flight director display. By providing all the appropriate cues and clues via the display content and form, pilot manipulators, and effective aircraft dynamics, maximum situation awareness is induced with minimum divided attention demands. This is a central theme in error-tolerant design of human/automation systems—maximize situation awareness and minimize divided attention demands by individuals and the crew as a whole. Similar principles apply when a greater amount of automation is considered beyond the combination of aircraft, SCAS, and flight director. The concept of "good" flying qualities is extended from those associated with piloted control to include intermittent pilot action, unattended pilot action, and crew-monitoring actions. Good intermittent or divided attention "flying qualities" are achieved via automatic flight control and flight management systems plus flight director and other monitoring displays that "behave" in a fashion similar to the pilot. Thus, the automatic system dynamics and behavior are akin to those the pilot would adopt. In essence, for a given system navigation/guidance mode the human/automation system dynamic behavior, and the cues and clues perceived by the pilot, posses universal general forms and response similarities (not necessarily in temporal detail) regardless of whether the pilot or automation is in active or monitoring role. Crew expectations and monitoring behavior are then similar, whether in manual or automatic control. Finally, good ''unattended operation flying qualities"—achieved by using appropriate flight control system hold modes, flight director, and monitoring displays—complete the picture. Training, rehearsal, and surveillance by independent systems (either automated or other crew personnel) are again part of the solution. However, the similarities of behavior across levels of active automation are particularly useful in this regard. For example, on the C-17 aircraft, it is expected that the pilot in training for piloted powered-lift approach and landing operations will attempt to emulate the autopilot (which is designed to behave like an extremely skilled pilot). For these error-tolerant design principles to play a role in advanced aircraft, they must be given more than the philosophical treatment noted here. The next steps include delineation and validation of the desired effective dynamics, as well as situation definition and monitoring variables for the mission phase/task matrix of transport aviation, including unusual and abort conditions. NASA's research in error alleviation should include systems that can detect developing critical situations, independent of the crew's alertness, and can inform and assist the crew regarding appropriate corrective measures; concepts, methods, criteria, and technology for error-tolerant system design; and

OCR for page 243
Aeronautical Technologies for the Twenty-First Century the development of prototype, ''massively smart" interfaces, both in the simulator and in the air, to gain experience within the industry and to demonstrate the technology to the industry. Situation Awareness Displays The general display concepts for monitoring, backup, and control described above are one set of situation awareness features. The basic principle is to present key cues in a form that permits the pilot to comprehend the current state immediately and to extrapolate. Divided attention among display symbols and elements is minimized, decision-making times are reduced, and command ambiguities are eliminated. It is important to note that "display," as used here, is not confined to visual instruments such as the flight situation display. Instead, the display of the cues and clues that underlie a high state of situation awareness is all encompassing. The display environment can include standard visual fields; visual display media acting as a surrogate, abstraction, or extension of ideal visual fields; supercue displays that provide virtual reality, prediction, and preview; proprioceptive displays of effector(s) and aircraft trim state(s); and three-dimensional auditory cuing. "Anything goes" that will enhance and simplify the crew's ability to appreciate current conditions and to anticipate or estimate the relevant short-term future states. Because the characteristics of the automation and displays are task dependent, the content and structure of the situation awareness displays, and the rest of the automation as well, are subject to transitions as mission phases shift. Easing these transitions (in displays and effective vehicle dynamics) can be critically important in error-tolerant system designs. NASA should conduct research to develop and demonstrate techniques to improve the pilot's situational awareness and spatial orientation. ASSURANCE OF VALID AND RELIABLE SYSTEM OPERATIONS In order to rely on highly automated systems in the conveyance of passengers aboard aircraft in the year 2020, we must have an extremely high confidence that the human and the automated systems involved will reliably perform the correct functions continuously. To begin with, consider the systems involved, which include the aircraft space positioning and surveillance functions (integration of the Global Navigational Satellite System, inertial navigation system, other sensors, data links, processing, and displays); aircraft navigation, guidance, flight management, and automatic flight control functions (integration of the space-positioning functions, ground-landing aid augmentations, flight management system, and autopilot/autoland/ground-control functions); ATM system (integration of in-flight and surface space positioning functions, ATM algorithms including four-dimensional flow management, ATM data links,

OCR for page 243
Aeronautical Technologies for the Twenty-First Century ATM processing and display systems, and automated tools for integrating four-dimensional and non-four-dimensional traffic); and aspects of the operating environment information that impact the automated ATM (e.g., winds aloft, severe weather, and vortex wake predictions). The issues associated with the effective human/automation interactions for these systems were addressed above. Research and technology development for ensuring valid and reliable operation of these very complex systems must be addressed with a total system perspective. This cuts across traditional NASA and FAA roles. NASA should work with FAA to address the total human/system concepts and develop methods to enure valid and reliable system operations. The Aerospace Industries Association (AIA) has identified highly reliable avionics as one of the critical technologies for the 1990s. 18 The AIA objective is to develop avionics that have no failures during the entire lifetime of an aircraft. This thinking should be extended to the total automated ATM system. NASA should extend its investigations of highly reliable avionics to total system concepts applicable to ATM automation, with FAA involvement. Assurance of valid and reliable software for systems with the complexity of an automated ATM system is a most challenging problem. It will take a much larger research and development investment to resolve than the amount NASA could reasonably invest, as well as talent not well represented in the NASA mix. However, NASA should contribute to coordinated multiagency efforts, such as the High-Performance Computing Initiative (HPCI), with this overall objective in mind. Some promising initial results have been obtained at Langley Research Center in computer-aided software generation and mathematical proof of correctness. Coupling these two activities might lead to a structured and user-friendly approach to precise statements of software specifications, computer-aided generation of software, and the mathematical proof of correctness or noncorrectness of the coded software. This appears to be feasible for small problems. If large, complex problems can be structured into a series of small problems with precisely definable interactions, the concept may extend to complex practical problems. EFFECTIVE MANAGEMENT AND DISTRIBUTION OF INFORMATION The availability of accurate, timely, and appropriate information at each element of the ATM is critical to the safety and performance of the total system. The elements include all classes of aircraft, all ground ATM centers, and transportation company operations centers. Information includes the following: in cockpits, all that is required for flying the aircraft, flight path management, traffic management systems, health and safety management, and efficient transportation operations; in ATM centers, all that is needed for en route, terminal area, and ground control and monitoring of aircraft and ground vehicle operations, independent 18   Aerospace Industries Association of America. 1987. Key Technologies for the 1990s—An Overview. Washington, D.C.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century surveillance, and weather; and in company operation centers, all that is needed for scheduling and maintenance. The aircraft systems involved with acquisition, processing, management, and distribution of the required cockpit information are discussed primarily in Chapter 10. The challenge of ensuring that the systems involved in acquiring, managing, and distributing required information operate reliably has been discussed above. The challenge discussed here involves the information system sciences aspects and some human factors aspects of acquiring, processing, managing, and distributing the required information. Total System Perspective As in the challenge of ensuring valid and reliable system operations, the information system must be addressed with a total system perspective that cuts across not only NASA and FAA roles but also those of the National Oceanic and Atmospheric Administration, the International Civil Aviation Organization, and other relevant agencies. In considering the most effective information system to serve the ATM in 2020, an interagency task force should be convened to direct a total system analysis. In addition to defining the total systems requirements, it needs to address all potential sources of the required information. For example, for weather information these would include weather satellites, ground and ship stations, ground remote sensing, aircraft on-board sensors (winds, temperature, pressure, weather radar, and windshear detectors), and others. The task force needs to examine all the options for processing and managing the information (e.g., local processing of the sensor versus control processing; options for integrating and correlating information from multiple sources; options for storing, archiving, and retrieving information). Further consideration must be given to the options for transmitting and distributing the information among the various elements, including aircraft, ground stations, ships, and satellites. NASA can be an important contributor to the system analysis task force by providing technology options for sensors; processing (onboard aircraft and satellites, and massive ground-based processing); information storing, archiving, and retrieving; satellite communications; and human factors expertise on human/machine interfaces. Machine-Aided Information Acquisition, Processing, and Decision Making Functions such as error detection, reality checking, automated check pilot, and monitoring are features in all the "visions" described at the beginning of this chapter. The most pervasive component is error detection and monitoring, which is an enabling area if any of the visions are ever to be reduced to practice. Because no other focused effort will have as much impact on aviation safety, a major research and demonstration effort should be mounted in this area. Important issues to be explored and resolved are inferring pilot intent; evaluating the impact of errors; and display in a manner appropriate to the situation and to the crew's ability to accept and process the information.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century Machine-Aided Information Acquisition At the information acquisition level, most of the technology challenges are in avionics and other sensor systems. The aspect considered here is the human interface to ensure the accuracy and appropriateness of the information, in particular, machine-aided information acquisition. The objective is to use the monitoring and analysis capabilities of machines to assess the accuracy and appropriateness of information as it is acquired and before it can "contaminate" the information system or human actions. For example, a pilot might misenter an altitude change in the autopilot after being assigned a new altitude, and a monitoring system would detect the error and advise the crew before the aircraft could respond to the erroneous command. Error detection and monitoring are among the most pervasive components necessary to enable practical implementation of any of the visions. Machine-aided information acquisition research should focus on crew information transfer issues, including consistency of intent and actions, and consistency of crew-perceived information and aircraft/systems configurations. A critical missing element in machine-aided information acquisition is the accurate and viable translation of voice communications into an electronic medium. Substantial improvements in voice recognition systems are needed to achieve the necessary confidence required to apply them as part of a critical monitoring system. Other potentially valuable acquisition systems include eye point-of-regard and sensor systems to infer operator status in terms of variables such as stress, boredom, and complacency. NASA should conduct research supporting the application of advanced machine-aided information acquisition from the human/machine interfaces. Information Processing and Management The predominant national and international research and development efforts in information sciences at large are focused on processing and management of information. It is expected that aeronautical systems will continue to exploit the resulting advances in hardware, software, systems concepts, and methodologies. As mentioned above, NASA can and should contribute to this area through participation in the HPCI as well as with specific focused programs to exploit this technology for air transport system problems. Again, those aspects of information processing and management associated with airborne systems are largely handled in Chapter 10 of this report. Advanced processing techniques, such as those embodied in artificial intelligence routines, should be considered for the machine-aided information acquisition systems discussed above, such as inferring crew intent and consistency checking. NASA has made important contributions to four-dimensional guidance algorithms and simulation techniques for ATM research and should continue to pursue that research as it moves toward a more automated system. The research should also consider methods for advanced rotorcraft to operate separately from normal traffic at major hubs and efficient techniques to integrate general aviation traffic into a highly automated system. The processing and management of vast amounts of information required for ATM and aviation weather services are critical to achieving the 2020 vision, but can probably be

OCR for page 243
Aeronautical Technologies for the Twenty-First Century implemented with the state-of-the-art concepts likely to be available without a specific NASA research and development program. Information Distribution The final factor is the distribution of information among the elements, which include communications and display systems. Chapter 10 deals with the associated airborne systems. The crew/operator interface with display systems has been addressed above. Options for voice and data communications among the various elements in the ATM, identified under the total systems analysis discussed in the paper by Billings 19 might include technology development requirements in which NASA could play a significant role. However, at this time it would appear that communication requirements can probably be implemented with the state-of-the-art concepts and systems likely to be available without a specific NASA research and development program. 19   Billings, op. cit.

OCR for page 243
Aeronautical Technologies for the Twenty-First Century This page in the original is blank.